External Threat Management

The Threat Landscape is Dynamic and Ever-Changing — Can You Keep Up?

Attack surfaces are massive — and significantly different from what they were in the past. Not long ago, cyber security for an organization was like defending a building — a relatively straightforward, one-dimensional task. But organizations today have turned into sprawling cities, with expanding neighborhoods, unmapped alleyways, and ever-changing borders — yet, in many ways, many organizations are still defending this new, broader attack surface as they did more than a decade ago.

In today's enterprise attack surface, there's simply far more available for threat actors to target than ever before. Additionally, the less awareness an organization has of their attack surface, the slower they can respond to attacks when they happen.

There are now so many ways organizations leave themselves vulnerable to attack, from sophisticated phishing attacks to ransomware to misconfigurations missed during rapid deployments. While the attack surface was already difficult to manage, the move to remote work during the pandemic changed it again — literally overnight.

This new reality is why organizations need an operationalized approach to security intelligence: not just to respond when there's an attack, but to know exactly the line of defense, how to defend it, and from whom they're defending it. 

Busy Times in Cybersecurity

It's been a busy year in cybersecurity, with the SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents redefining how ubiquitous cyberattacks can be. Threat actors are targeting not only large organizations but small ones as well, and their attack strategies are constantly changing and adapting as they learn more and share it amongst themselves.

Here are just a few examples from this past year that show the massive extent to which attacks can affect organizations and people, and why you always have to be prepared for what's to come.

Fox Kitten: Many employees moved to remote work, accessing their workplace's network at home via VPN and RDP services — which is precisely what Iranian APT actors are targeting. Unprepared organizations that went remote to protect their workers may have left themselves exposed, as VPN vulnerabilities are an entry point for malicious actors. Once inside, these actors set up backdoors and long-term footholds and release ransomware attacks.

FireEye: What happens when malicious actors steal the tools of a cybersecurity company, exploit them, and use them for their own gain? That's exactly what happened in March 2020 when Chinese actor APT41 began exploiting vulnerabilities in organizations that are customers of FireEye, a cyber-attack defense company — and did so through web-facing routers and desktop administration software. They were able to steal the tools that FireEye uses to run assessments for their clients.

Microsoft Exchange: In March 2021, state-sponsored threat actor HAFNIUM targeted on-prem Microsoft Exchange servers, exploiting four zero-day vulnerabilities. Once the PoC was released, a dozen more threat actors joined in, deploying ransomware and compromising over 400,000 servers — including Acer's servers, ransomed for $50 million. Organizations responded to updates and patches, but the response was slow.

Understanding the Dynamic Threat Landscape

So what do these examples show us? First, that the threat landscape is dynamic. It's not only changing on the organizational side when systems update or operations shift. Threat actors are scanning for vulnerabilities and constantly modifying their approaches as well. It's an ever-evolving battle that organizations have to engage in and have to win.

Attack surfaces are also growing more complex and more decentralized. The move to remote work widened the surface because workers were no longer in an office on the secured network; they were working over VPNs via personal internet connections, which changed the endpoints and expanded the surface. Organizations also see their attack surface expand as they adopt new devices that need to be covered, or move workloads and applications into the cloud.

It's not just vulnerabilities leaving organizations exposed, but lack of awareness as well. RiskIQ worked with Microsoft during the Exchange server attack to help them understand the scope of compromised servers and help organizations patch their systems. We found that many organizations didn't realize they had servers exposed to the internet. That lack of awareness cost them precious response time, leaving room for further exploitation. We found the same issue last year during the Exim mail server attack, where the rollout of patches was slow, leaving time for malicious actors to strike.

If the attack surface is dynamic, and if threat actors are relentless in their onslaught against it, then threat intelligence needs to be dynamic and relentless to provide organizations with actionable, timely, and relevant ways to protect themselves.

Where Can Organizations Start?

Proactively protecting your organization starts with having a solid foundation of security:

  • Auditing your systems and assets to know what your attack surface is.
  • Shrinking your attack surface and reducing complexity.
  • Compiling the right security-minded team.
  • Modeling threats.
  • Having a response plan.

Then, build upon your current threat intelligence by compiling an inventory of the common attacks used against your organization, including profiles of the actors and the vulnerabilities they use to exploit you. As you do this, you'll start to see patterns in what they target and how, and begin to recognize their TTPs, which will help you not only understand their next moves but also funnel your resources towards actionable offense.

Continue to track your attack surface as it develops — to new devices, to the cloud, to remote access — and as you implement new applications or digital initiatives, ask how they'll impact your attack surface in the future.

Also, continue to share resources within the cybersecurity community. After the Ryuk attack against hospitals last year, RiskIQ released the information we had collected about the strain of ransomware Ryuk used, exposing all known infrastructure to help federal officials and compromised organizations understand the extent of the attack. FireEye also released the relevant IOCs it found. Organizations never have to start from scratch when it comes to security and can leverage tools and intelligence from others who have been studying the threat landscape for longer.

Making Security Manageable

A constantly expanding attack surface, continuously probed by entities looking for a way in, can seem daunting to manage. But leveraging the tools already out there, creating a solid foundation of monitoring and execution in your organization, and spending time learning how the enemy attacks can help build your defenses and keep your organization safe.
